Sy General Development 


1 Introduction 


This document covers an early version of my research into work concerning structures related to skew 
polynomials (skew-poly or Sy development), specifically Drinfeld modules. 

Since skew polynomials are useful in coding theory, I have included some sample documents related 
to "game gen" that I have used to test coding schemas. 

Drinfeld modules were first introduced by Vladimir Drinfel’d in order to prove the Langlands conjecture 
for $\mathrm{GL}_n$ over a global function field [Dri74]. Since then, Drinfeld modules have attracted attention 
due to the well established correspondence between elliptic curves and the rank two case. Moreover, 
the rank one case, often referred to as Carlitz modules, provides a function field analogy of cyclotomic 
extensions. The role played in class field theory over number fields by elliptic curves with complex 
multiplication shows strong parallels with that of Drinfeld modules of rank two for the function field 
setting. This has motivated efforts to translate constructions for elliptic curves, including modular 
polynomials [CGS20], isogeny structures [CGS20], [Wes22], and endomorphism rings [KP16], [GP18]. 
Naturally, cryptographic applications of Drinfeld modules have also been explored [LS22], but were 
long anticipated to be vulnerable for public key cryptography based on isogenies [Sca01], [JN19]. This 
question was finally put to rest by Wesolowski who showed that isogenies between Drinfeld modules 
of any rank could be computed in polynomial time [Wes22]. 

Drinfeld modules of rank r > 2 do not have such a clear parallel, though an analogy of abelian surfaces, 
that of so called t-modules, does exist. Owing to this discrepancy, rank two Drinfeld modules have 
been studied far more closely than the case of more general ranks. 

The main goal of this work is to study a Drinfeld module analogy of Kedlaya’s algorithm [Ked01] 
for computing the characteristic polynomial of the Frobenius endomorphism acting on a hyperelliptic 
curve over a finite field. This is done by computing the action on a basis of a particular subspace of 
characteristic 0 lifting of the de Rham cohomology with coefficients in Q,. Our approach follows a 
very similar outline, but turns out to be remarkably simpler to describe. 

More generally, the algorithm we present can be used to compute the characteristic polynomial of any 
Drinfeld module endomorphism, though the complexity gains are more significant for the particular 
case of the Frobenius map. 


2 Background, Basic Definitions, and the Main result 


2.1 Basic Preliminaries 


Let $R$ be any ring, $r \in R$, and $\sigma : R \to R'$ a ring homomorphism. We will follow the notational 
convention $\sigma(r) = \sigma_r = r^\sigma$ throughout this work. If $R$ is a polynomial ring and $\sigma$ acts on its 
coefficient ring, $r^\sigma$ denotes coefficient-wise application. 


2.2 Drinfeld Modules 


Let $\mathbb{F}_q$ denote a finite field of order $q$ and let $L$ be a degree $n$ extension of $\mathbb{F}_q$ represented concretely as 
$L = \mathbb{F}_q[x]/(\ell(x))$. A general setting for Drinfeld modules can be defined over a ring $A$ consisting of 
the functions of a projective curve over $\mathbb{F}_q$ that are regular outside of a fixed place of infinity. For our 
purposes, we will restrict ourselves to the consideration of Drinfeld modules defined over the regular 
function ring of $\mathbb{P}^1 - \{\infty\}$; that is, $A = \mathbb{F}_q[x]$. Moreover, we fix a ring homomorphism $\gamma : A \to L$ and 
let $\mathfrak{p} \in A$ be the monic irreducible generator of $\ker \gamma$. Then $\mathbb{F}_\mathfrak{p} = \mathbb{F}_q[x]/(\mathfrak{p})$ is isomorphic to a subfield of 
$L$, and we let $m = [L : \mathbb{F}_\mathfrak{p}]$. 


Definition 2.1. A Drinfeld $A$-module of rank $r$ over $(L, \gamma)$ is a ring homomorphism $\phi : A \to L\{\tau\}$ 
such that 

$$\phi_x = \gamma_x + \Delta_1 \tau + \dots + \Delta_r \tau^r$$

with $\Delta_r \neq 0$. 


For readers interested in understanding the more general setting under which Drinfeld modules are 
typically defined, we recommend the survey by Deligne and Huseméller in [DH87]. 

A Drinfeld module is defined over the prime field when $L = \mathbb{F}_\mathfrak{p}$. Algorithms for Drinfeld modules 
in the prime field case tend to be algorithmically simpler, and we will often highlight the distinction 
with the more general case. 


Example 1. Let F, = Z/5Z, n = 4. Set &(x) = 24+ 4a? 4+ 42 +2 and L = F5[x]/(€(x)). Let 
Ye =x mod f(x), in which case L=Fy. A rank two Drinfeld module is given by dy =T7 +7 +2. 
We may instead take y, = x? +27 +2+3 in which case p= x? + 4x +2 and Fy © Fos and a rank 
three Drinfeld module is given by dy =7? + (a3 +1)7? +a7T+ a2 4274243. 


Given Drinfeld $A$-modules $\phi, \psi$ defined over $(L, \gamma)$, an $L$-morphism $u : \phi \to \psi$ is a $u \in L\{\tau\}$ such 
that $u\phi_a = \psi_a u$ for all $a \in A$. The set $\mathrm{End}_L(\phi)$ is therefore exactly the centralizer of $\phi_x$ in $L\{\tau\}$ and 
always contains the Frobenius endomorphism $\tau^n$. 


2.3 The Tate Module 


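A Drinfeld $A$-module induces an $A$-module on the algebraic closure $\bar{L}$ of $L$ by setting $a * c = \phi_a(c)$ for 
$a \in A$, $c \in \bar{L}$. Then for $\mathfrak{l} \in A$ the $\mathfrak{l}$-torsion module of $\phi$ may be defined as $\phi[\mathfrak{l}] = \{c \in \bar{L} \mid \phi_\mathfrak{l}(c) = 0\}$. 
We will now consider the theory of the $\mathfrak{l}$-adic Tate module of a Drinfeld module, with the following 
material derived from [DH87] and [Ang97]. Setting $\mathfrak{l}$ to be any irreducible element of $A$ different from 
$\mathfrak{p}$, define $A_\mathfrak{l}, K_\mathfrak{l}$ to be the $\mathfrak{l}$-adic completions of $A$ and $K = \mathbb{F}_q(t)$ respectively. The $\mathfrak{l}$-adic Tate module 
is defined as $T_\mathfrak{l}(\phi) = \mathrm{Hom}_{A_\mathfrak{l}}(K_\mathfrak{l}/A_\mathfrak{l}, \varinjlim \phi[\mathfrak{l}^n])$. Then $T_\mathfrak{l}(\phi)$ is a free $A_\mathfrak{l}$-module of rank $r$ and elements 
of $\mathrm{End}_L(\phi)$ induce endomorphisms on $T_\mathfrak{l}(\phi)$ via left composition, i.e. their action on $\varinjlim \phi[\mathfrak{l}^n]$. The 
(geometric) Frobenius is the endomorphism on $T_\mathfrak{l}(\phi)$ induced by $\tau^n$. 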


Definition 2.2. The characteristic polynomial $\mathrm{CharPoly}(u)$ of $u \in \mathrm{End}_L(\phi)$ is the reduced characteristic 
polynomial of the induced morphism $u \in \mathrm{End}_{A_\mathfrak{l}}(T_\mathfrak{l}(\phi))$. 


$\mathrm{CharPoly}_A(u)$ is independent of the choice of $\mathfrak{l}$ [Ang97], has degree $r$, and if $\deg(u) = d$, has coefficients 
$a_0, \dots, a_{r-1} \in A$ satisfying $\deg(a_i) \le \frac{d(r-i)}{r}$ and 

$$u^r + \sum_{i=0}^{r-1} \phi_{a_i} u^i = 0. \tag{1}$$

Example 2. Let F,, L be as in the context of example 1, and yz, = e+4e27+e¢4+1. A rank 5 


Drinfeld module is given by dy = (4a? + x? +2)r° + (x3 + 8a? +2 4+ 1)74 4+ (49 + 3)73 + (82? + 40 + 
A)r? + (403 + 4a? + 4x)7 + &? +40? +241. The characteristic polynomial of tT” on ¢ is 


Z> 4 3Z4 + (03 + 4a? + &)Z3 + (Qa? + 4a + 8)Z? + (03 + Qe? + 4 + 2)Z + 204 + 8a? + 42 + 2 


The main result of this paper is an algorithm for computing the characteristic polynomial of the 
Frobenius endomorphism. 


Theorem 2.3. Let ¢ be a rank r Drinfeld module over (L,y), and let u € End.(¢) be a degree d 
endomorphism. There is a deterministic algorithm to compute the characteristic polynomial of an 
endomorphism u of @ with bit complexity r®(n? log? q)'+° + dkr(nlog q)'+° for any d/m <k < d. 
In the case where u=T", this can be done with bit cost kr’ (n° log gq) teQ), 


3 Computational Preliminaries 


3.1 Operations on Fields, Polynomials, and Matrices 


Using FFT based algorithms, we assume that polynomials of degree at most $n$ with coefficients in a 
finite field $\mathbb{F}_q$ can be multiplied in time $(n \log q)^{1+o(1)}$. Consequently, we will assume that a single 
elementary field operation consisting of an addition, multiplication, or inversion can be done with the same 
cost. 

We let $\omega$ be a real number such that two $s \times s$ matrices over a ring $R$ can be multiplied in $O(s^\omega)$ ring 
operations in $R$. The current best value for the upper bound on the exponent is $\omega < 2.373$ [Le 14]. 


3.2 Modular Composition 


Given polynomials $f, g, h \in \mathbb{F}_q[x]$ of degree at most $n$, the modular composition $f(g) \bmod h$ can be 
computed in $(n \log q)^{1+o(1)}$ bit operations [KU08]. After a pre-computation step which computes 
$x^{q^i} \bmod h$ for each $i < n$, for $b \in L$, Frobenius exponents $b^{q^i}$ can be computed at the cost of a single 
modular composition, and so the algorithm plays an important role in the cost analysis of this paper. 
As the Kedlaya-Umans algorithm does not admit a simple description of its algebraic complexity, we 
will use a bit complexity model throughout this paper. For practical purposes, modular composition 
algorithms can be assumed to use the classical algorithm due to Brent and Kung which has an algebraic 
complexity of $O(n^{(\omega+1)/2})$. 


3.3 Gröbner Basis Construction and Explicit Field Isomorphism 


Gröbner bases are an important construction for algorithms over multivariate polynomial rings, and 
algorithms for producing them from an ideal in ¢ variables of total degree at most D have been 
extensively studied [Buc76] [Fau02]. It is known that the worst case complexity of a general 
algorithm must be at least D* since the output may either contain that many elements, or elements 
of doubly-exponential degree [Dub13]. The algorithm we present will require that we map coefficients 
from a working ring over which the main computational operations are performed to an output ring 
where the coefficients can be directly read off. As we will be working with ideals in a trivariate 
polynomial ring, the computation of a Gröbner basis will not contribute exponentially to the 
overall complexity. Further still, we will treat the determination of this map as part of a preprocessing 
step and we will not include it in our overall complexity analysis. 

In the prime field case, the task will reduce to computing an explicit field isomorphism between 
6: L — Fy such that d(ya) = amodp for a € A. This can be done by factoring ¢(x) over F,[z] 
and using multi-point evaluation to locate a root ¢ of €(x) such that 6, = ¢ gives the desired map. 
This can be done using a randomized Monte Carlo algorithm costing (n'? log q + nlog? gyre bit 
operations to factor ¢(x) [KU08]. 


4 Prior Work 


4.1 Algorithms for Computing the Characteristic Polynomial of the Frobenius Endomorphism 


The question of computing the characteristic polynomial, particularly of the Frobenius endomorphism, 
was studied in detail in [Gek08] for the rank two case only. The most general approach constructs a 
linear system based on the degree constraints of the coefficients a; = pea i Qj,5 9 
Evaluating the Characteristic polynomial at the Frobenius element and equating coefficients gives a 
linear system based on 


n(r—i) 


r—-1 —>— n(r-7t) 
ge + ys > S- deter = 0. (2) 

i=0 j=0 k=0 
Letting MinPoly(u) denote the minimal polynomial of u, the solution of the preceding system is unique 
and yields the characteristic polynomial if and only if MinPoly(u) = CharPoly(u). 
Garai and Papikian gave an algorithm for computing the characteristic polynomial [GP18, §5.1] valid 
for the “prime field” case only. As with the Gekeler system, this approach relies on the explicit 
computation of ¢,:, which is the dominant computational step. This can be done by O(n”) evaluations 


of the recurrence fi41,5 = yt fig + Myer AY ; fij-t- Thus the bit-complexity of computing all of 
es Px2,-++, ban is r(n® log(q)) te. 

Further study of algorithms for the rank 2 case specifically was done in [Nar18] and [MS19], with the 
latter focusing on the complexity of the algorithms and using the same computational model that will 
be used here. 


4.2 Kedlaya’s Algorithm 


Fix a hyperelliptic curve C of genus 2g over F, defined by the Weierstrass equation y? = f. A theorem 
of Weil’s tells us that the order of the Jacobian Jac(C). The main procedure of Kedlaya’s algorithm 
aims to compute the characteristic polynomial of a lifting of the Frobenius to the Monsky-Washnitzer 
cohomology, with coefficients in Q, = Q,|z]/(f), of a closed subvariety of the hyperelliptic curve. 
The hyperelliptic involution on C’ induces an involutive operator on the cohomology which splits into 
a direct sum of positive and negative eigenspace. The algorithm proceeds by computing the matrix 
representation of the Frobenius with respect to a basis for the negative eigenspace, which can be done 
to some finite precision. 

Our algorithm follows the general approach of Kedlaya’s: we compute a matrix for the endomorphism 
acting on the Crystalline cohomology with coefficients in a ring of Witt vectors. The induced 
endomorphism turns out to be quite simple to describe in terms of skew-polynomial multiplication, 
which eliminates the need for a complicated lifting step. Moreover, a simple recurrence relation makes 
computing the action with respect to a basis quite simple to describe and implement. 


5 The de Rham and Crystalline Cohomology 


The construction of the de Rham and Crystalline cohomology of a Drinfeld module can be found in 
[Ang97] and [Gek11] and appear to be due to Gekeler. The set of derivations $D(\phi, L)$ of a Drinfeld 
module $\phi$ is the set of $\mathbb{F}_q$-linear maps $\eta : A \to L\{\tau\}\tau$ satisfying the relation 

$$\eta_{ab} = \gamma_a \eta_b + \eta_a \phi_b.$$

The evaluation map $\eta \mapsto \eta_x$ gives a bijective mapping $D(\phi, L) \to L\{\tau\}\tau$. The set of strictly inner 
derivations $D_{si}(\phi, L)$ is the subset of $D(\phi, L)$ containing derivations of the form $\eta_a = \gamma(a) n - n \phi_a$ for 
any choice of $n \in L\{\tau\}\tau$. $D(\phi, L)$ can be made into a projective module in the following manner. 


Definition 5.1. [Ang97, Lm 2.3] The set $D(\phi, L)$ is an $L[X]$-module under $(X * \eta)_a = \eta_{ax}$. 


Let J, be the ideal of L[X] generated by X — yz, then Dgi(¢,L) = I, D(¢,L) [Ang97, Lm 2.4]. 
Set Wy = L[X]/IF and W(L) = lim W;, = L|[z]]. Thus W(L) comes equipped with projections 
7 : W(L) + Ws corresponding to truncation of the power series at degree k and mapping z OH X—74-z. 
We have canonical inclusions 1, : A + W, sending 1,() = X mod IK. These inclusions lift to an 
inclusion .: A > W(L), simultaneously commuting with each 7, which represents elements of A via 
their [,-adic coefficients. The situation is summarized in the following diagram. 


[Diagram: $A$, $W(L)$ and $W_k$, with the inclusions of $A$ and the projection $W(L) \to W_k$.] 


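Moreover, for each $k$, there exists a unique ring homomorphism $\chi_k$ such that the following diagram 
commutes. 

[Diagram: $W(L)$ projecting onto $W_k$, $A$ mapping into $W_k$, reduction mod $\mathfrak{p}^k$ from $A$ to $\mathbb{F}_q[x]/\mathfrak{p}^k$, and $\chi_k$ mapping to $\mathbb{F}_q[x]/\mathfrak{p}^k$.] 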


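Lemma 1. There exists a unique map $\chi_k : \iota_k(A) \to \mathbb{F}_q[x]/\mathfrak{p}^k$ such that $\chi_k(\iota_k(a)) = a \bmod \mathfrak{p}^k$ for all 
$a \in A$. 


Proof. Since $\ker(\pi_k)$ lies above $(\mathfrak{p}^k)$, $\ker(\iota_k) = (\mathfrak{p}^k)$. Thus for $w \in W_k$, we can set $\chi_k(w) = \iota_k^{-1}(w) \bmod \mathfrak{p}^k$. 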


The details of how to compute this homomorphism are discussed in section 5. 

The crystalline cohomology H?,,,(¢,L) of ¢ is the W(L)-module W(L) @1{.] D(¢,L). Moreover, the 
precision k cohomology spaces H;‘(¢,L) are defined as W;-modules D(¢, L)/I D(#, L). The de Rham 
Cohomology is the L-vector space D(¢, L)/Dsi(¢, L) = Hi(¢,L). 

He-ys(, L) is a projective L[X]-modules from the action on D(@,L) and a free module of rank r over 


W/(L) respectively [Ang97], with canonical basis 7 such that 9? =r! for 1 <i <r. 
The following lemma is a generalization of a recurrence noted by Gekeler [Gek11] for r = 2. 


Lemma 2. Let # € Hé,,.(¢,L) such that AY =7' For any k > 1: 


r hs : ; 
STAT HEM = XGO (3) 
i=0 


Proof. This follows directly from the module action of L[X] on H%.,.(¢, L) by computing the evalu- 


crys 
ation of X49) at « and commuting 7” across the defining coefficients A; of ¢. 


(XA Jn = Tbe 


1=0 


i=0 


Set [k] = y(at —«). In the case of the de Rham Cohomology, the recurrence of lemma 2 becomes 


yoatn (k+i) 4 Tk [k]n (k) 9 (4) 


5.1 Induced Endomorphisms on H;,.,,(¢, L) 


Morphisms u : ¢ — ~% induce morphisms uj : Hg(¢,L) > Ag(y,L) and u* : Hz,,.(¢,L) > 
Hy.y5(w,L) by acting as uZ(})« = fru. As Hz,..,(@,L) is free over W (IL), one can define the charac- 

teristic polynomial CharPoly(u*) in the usual manner. 

Recall that CharPoly(w) denotes the characteristic polynomial of the induced endomorphism on the 

(-adic) Tate module associated to ¢ and has coefficients in A. The following theorem due to Anglés 

aes Thm. 3.2] relates this characteristic polynomial to that of the induced endomorphism on 
ys (9, L). 


Theorem 5.2. CharPoly(u)’ = CharPolyy(z)(u*). 


Moreover, recall that since coefficients of CharPoly(w) have degree at most d, it suffices to compute 


the coefficients in W(L) up to precision k = +, 


Corollary 5.1. CharPoly(u) ™°¢ pe CharPolyw () (u*)XKOmR 


6 Computing the Characteristic Polynomial 


We can now state the algorithm referenced in theorem 2.3 for arbitrary e €, and its correctness follows 
directly from theorem 5.2 and equation 3. 


1. Compute representations for 7+ € Hj(¢,L) for 0 < 6 < d and 1 <i <r in the standard 
basis using the recurrence given by (3) fe k> 4, 


2. Using the coefficients computed in step 1, construct the matrix for wu acting on Hj(¢,L) and 
compute its characteristic polynomial. 


3. Apply the map yx to the coefficients of CharPolyy,, (u) to recover CharPoly 4 (wu) ™°4 Pe 


Step 1 requires the computation of the recurrence of equation 3 for d iterations, which involves 
computing dr terms of the form A which can be computed once each using modular composition at 
a total cost of dr(nlogq)!t°™, followed by O(dkr) products in L to compute successive coefficients 
in Wx at each application of the recurrence, which leads to step 1 having an overall complexity 
of dkr(nlogq)'t°™. Step 2 has the cost of computing a linear combination of d+ 1 many r x r 
matrices over W;,, as well as computing the characteristic polynomial of an r x r matrix with entries 
in W;, which can be done with O(r“) operations in L [NP20]. The overall runtime is therefore 
r”(n? log? q)!+°D + dkr(nlog q)'+°™ as claimed. 


6.1 Computing the map y; 


The final step requires computing the image of the coefficients of under the map yx : x(A) > A/(p*). 
The input to this procedure are elements in L[X]/(X — y.)*; these may be represented as bivariate 
polynomials inside F,[y, X]/(¢(y),(X — yx(y))*). The tower Fy C L can be represented using a 


triangular set (p(x), 9(#,y))) such that L = F,[z,y]/(p(2), g(a, y)). Set W = Falz,y, X]/(p(a), (X — 
x)*,g(a,y)) and from the preceding construction we have W & W,,. 


wa 


We can convert elements of W to elements of F = F,[X,2,y]/(p(X)*, (a — T(X)),G(X,y)) via a 
procedure similar to the tangling method of [HL17, §4.4]. F carries with it a canonical embedding 
from the subring F,[X,a]/(p(X)*, (a — T(X))) @ Fy[X]/(p(X)*). Note that 1, includes A in W by 
sending >>, ajz’ + So, a;X* mod I *, and therefore it is easy to check that the resulting map from 
“tangling” W to F and applying the aforementioned canonical embedding satisfies the commutativity 
requirement and therefore gives the desired map xx. 

Converting the field representation of L to elements of F,[z, y]/(p(x), g(a, y)) has the cost of a modular 
composition, while the cost of mapping elements of W to F is (nlogq)!+°™ log? k. 


6.2 Computing the Characteristic Polynomial of the Frobenius Endomorphism 

In the particular case where u = 7”, we may speed up the computation using a baby-step giant-step 

procedure to compute the terms {7+ }"_, based on the approach used in [DNS21]. Let A; = — a 

and define A, € M"*"(W;) by 


Nee ONS Ag Ag +% 
1 0 0 0 

A,=| 0 1 0 0 (5) 
0 0 1 0 


Let 7 € Wf denote the row vector of 7 with respect to the standard basis #("),...,7. Then: 


Later Boome 
a(rtt— m(rt+t—2 
1) 1) 
= As (6) 
Att) rise 
Thus: 
Hert) 
qt) 
SAeytAy (7) 
Arty) 


Computing the required terms of the sequence therefore reduces to computing the matrix product 
A= A,...Ai. For this, it is possible to leverage the approach used in [DNS21]. Consider the 
following element of M"™*"(W;,) 


Ap—1 Ap—2 tee Ay No 0 0 Az! 
1 0 ... O 0 0 0 6 
B(X) = 0 1 .. O 0 ao XxX 
0 0 ee | 0 ae e 


For M € M'™*"(W,) let M [1 denote entry-wise application of coefficient-wise exponentiation of el- 
ements of W; by q’ and let n = n*nj + no with n* = [Jn] ni,no < [Yn]. Setting C = 
Bir’ +no] | Blro+) and Cy = Bll... Bl), we obtain A via the product 


ny—-1 
A= ( II cll cg 
i=0 


t 
Setting up C,Co has the cost of r./n entry-wise modular compositions for computing A? for i < r,t < 
n* + no, followed by \/n matrix products with polynomial entries of degree at most [./n]. 


Computing all C!'""] costs O(kr?,/n) modular compositions over L, contributing a cost of kr?(n!° log q)!+°), 


Finally, recovering A requires \/n matrix products with coefficients in W,, adding a bit cost of 
kr“n! log q. This completes the cost analysis component of theorem 2.3. 


Algorithm for computing the Characteristic Polynomial of the Frobenius 
1: procedure CHARPOLYALG 


2: Input A field extension L of degree n over Fy, (Ai,...,A,) € L” representing a rank r 
Drinfeld module ¢ over (L, y). 
3: Output a; € A such that the characteristic polynomial of the Frobenius is X" + 4 aX". 
4: n*,n1,n9 — [rn], |n/n*|,n mod n*. 
Aj + -3# forO<i<r-1l. 
Ap_-1 Apo ... Ay Ao 0 0 Kea 
1 0 .. O 0 - 
On O56 4 0 

6: Be 0 1 can. 0 0 oe) X € M™*"(W,). 

0 0 te 1-20 po : 
7 Ce Blt |, Bipot], 


8 Coe Biol... BE 


ny—-1 
9: At ( II cl Icy 


i=0 
10: 4; + coefficient of Z* in det(A— ZI) 
return (xx (Go), Xk (41), +--+, Xs(@r—1)) 


7 Experimental Results 


An implementation of the algorithm of section 5 was created in MAGMA [BCP97]. The timings 
presented here exclude construction of the finite field and the extraction of coefficients by computing 
the map yx. 


Run Times for m = 10, ¢ = 25 in milliseconds 
n = 100 | n = 200 | n = 300 | n = 400 | n = 500 | n = 600 | n = 1800 | n = 2700 
r=5 0.170 7.320 39.880 95.340 145.240 | 288.470 
r=12 3.720 149.870 | 403.000 
r= 23 48.090 
r = 900 
r = 1800 


In this work we will explore the multiplication of matrices of skew polynomials over a finite field $\mathbb{F}_q$. 
In particular, we will examine the implications of a number of algorithms on the bit complexity of 
matrix multiplication and determine whether there are any improvements to naive estimates based 
on black-box matrix multiplication algorithms. 

Throughout this work we work over a pair of finite fields $\mathbb{F}_q \subset \mathbb{F}_{q^n}$. We let $\sigma$ denote an automorphism 
of $\mathbb{F}_{q^n}$ fixing $\mathbb{F}_q$. We define the ring of skew polynomials $\mathbb{F}_{q^n}\{x; \sigma\}$ to be the set of polynomials in the 
variable $x$ with coefficients in $\mathbb{F}_{q^n}$, $\sum_i a_i x^i$, subject to the commutation rule $xa = \sigma(a)x$. $L\{\tau\}_{<d}$ 
denotes skew polynomials with degree strictly less than $d$, with similar notation for $\le$, $>$, $=$, etc. 


7.1 Algorithmic Background 


For analyzing the complexity of operations conducted over finite fields, an algebraic model counting 
base field operations is typically used. However, there are certain cases where a precise algebraic 
description is unsuitable. Of particular relevance to operations over skew polynomials is Kedlaya and 
Umans’ celebrated modular composition algorithm [KU08]. Given polynomials $f, g, h \in \mathbb{F}_q[T]$ each of 
degree at most $d$, the modular composition algorithm computes $f(g) \bmod h$. The classical algorithm 
due to Brent and Kung uses $O(d^{(\omega+1)/2})$ field operations in $\mathbb{F}_q$. The Kedlaya & Umans algorithm does 
not admit a simple algebraic description of its complexity, but offers a bit complexity of $(d^\theta \log q)^{1+o(1)}$; 
$\theta$ was originally shown to be $1 + \epsilon$ but we may take $\theta = 1$. To allow for the incorporation of the Kedlaya 
& Umans modular composition algorithm this work will use a bit complexity model rather than the 
usual algebraic one. 

We will use $M(d)$ to indicate the complexity of multiplying two degree $d$ polynomials over $\mathbb{F}_q$. Typically, 
$M(d) = (d \log(q))^{1+o(1)}$. Moreover, we let $\omega$ denote the real number such that two $r \times r$ matrices 
with entries in a ring $R$ can be multiplied using at most $O(r^\omega)$ basic ring operations. 


8 Multiplication of Skew Polynomials 


As of this work, there are two major competitive algorithms for multiplying skew polynomials due to 
Puchinger & Wachter-Zeh [PW17] as well as Caruso & Le Borgne [CB17]. 


8.1 The Puchinger & Wachter-Zeh Algorithm 

When $s < n$, the algorithm described by [PW17, Th.7] has the better bit complexity. Set the factors 
$a = \sum_{i=0}^{d} a_i x^i$, $b = \sum_{i=0}^{d} b_i x^i$, and set $d^* = \lceil \sqrt{d+1} \rceil$. We can split $a$ into a sum of $d^*$ terms of the 
form $a^{(i)} = \sum_{j=0}^{d^*-1} a_{id^*+j} x^{id^*+j}$ such that $a = \sum_{i=0}^{d^*-1} a^{(i)}$. This in turn splits the product $c$ into $d^*$ 
terms $c = \sum_{i=0}^{d^*-1} c^{(i)}$ with $c^{(i)} = a^{(i)} b$. We can multiply through the expression for $c^{(i)}$: 

$$c^{(i)} = \sum_{j=0}^{d^*-1} \sum_{k=0}^{d} a_{id^*+j} x^{id^*+j} b_k x^k = \sum_{k=0}^{d+d^*-1} \sum_{j=0}^{k} a_{id^*+j} \sigma^{id^*+j}(b_{k-j}) x^{id^*+k}$$

Construct matrices $A, B, C$ such that: 

$$A_{i,j} = \sigma^{-id^*}(a_{id^*+j}) \tag{8}$$
$$B_{j,k} = \sigma^{j}(b_{k-j}) \tag{9}$$
$$C_{i,k} = \sigma^{-id^*}(c^{(i)}_k) \tag{10}$$

where $0 \le i, j \le d^*-1$, $0 \le k \le d + d^* - 1$. We may refer to $A$ and $B$ as the left and right companion 
matrices respectively. Thus, we may compute $c$ by computing the matrix product $C = A \cdot B$ to 
determine the entries $\sigma^{-id^*}(c^{(i)}_k)$, through which we may compute $c = \sum_{i=0}^{d^*-1} c^{(i)}$. The 
computationally intensive steps are computing the action of $O(d^{1/2})$ distinct automorphisms $\sigma^{\pm id^*}$, $\sigma^{j}$ 
for up to $O(d^{3/2})$ elements, as well as computing the matrix product. Constructing the companion 
matrices $A, B$, as well as recovering the final result from the matrix product $AB$ takes overall time 
$(d^{3/2} n^\theta \log q)^{1+o(1)}$, while computing the matrix product itself takes $O(d^{\min((\omega+1)/2,\,1.635)} M(n))$. 


Algorithm Skew Polynomial Multiplication [PW17] 


Input Skew polynomials $a, b \in \mathbb{F}_{q^n}\{x; \sigma\}$ of degree at most $d$. 
Output Skew polynomial $c$ such that $a \cdot b = c$ 


1: Construct matrices $A, B$ as given in equations 8 and 9. 

2: Compute the product $C = A \cdot B$. 

3: Compute $c^{(i)}_k = \sigma^{id^*}(C_{i,k})$ 

4: Compute and return the product $c = \sum_{i=0}^{d^*-1} c^{(i)}$ 
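
The companion-matrix construction of equations (8)-(10), as an added worked example (not code from this document or from [PW17]). It assumes a constructed toy field $\mathbb{F}_{2^4} = \mathbb{F}_2[z]/(z^4+z+1)$ with $\sigma$ the Frobenius $a \mapsto a^2$, uses a schoolbook matrix product rather than a fast one, and checks the result against direct use of the rule $xa = \sigma(a)x$; all function names are hypothetical.

```python
from math import isqrt

# Constructed toy setting (assumption of this example, not from the page):
# F_{2^4} = F_2[z]/(z^4 + z + 1), elements held as 4-bit integers,
# sigma = Frobenius a -> a^2, so sigma has order N = 4.
N = 4
MOD = 0b10011


def gf_mul(a, b):
    """Multiply two field elements (carry-less multiply, reduce mod MOD)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:
            a ^= MOD
    return r


def sigma(a, e=1):
    """Apply sigma^e; negative e works because sigma^N is the identity."""
    for _ in range(e % N):
        a = gf_mul(a, a)
    return a


def skew_mul_naive(a, b):
    """Schoolbook product: (a_i x^i)(b_j x^j) = a_i sigma^i(b_j) x^(i+j)."""
    c = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[i + j] ^= gf_mul(ai, sigma(bj, i))
    return c


def skew_mul_pw(a, b):
    """Product via the left/right companion matrices A and B.

    a, b are coefficient lists (index = power of x), both non-empty.
    """
    d = max(len(a), len(b)) - 1
    ds = isqrt(d) + 1                 # d* = ceil(sqrt(d + 1))
    cols = d + ds                     # k runs over 0 .. d + d* - 1

    def coeff(p, k):                  # coefficients outside the list are 0
        return p[k] if 0 <= k < len(p) else 0

    # A[i][j] = sigma^(-i d*)(a_{i d* + j}),  B[j][k] = sigma^j(b_{k - j})
    A = [[sigma(coeff(a, i * ds + j), -i * ds) for j in range(ds)]
         for i in range(ds)]
    B = [[sigma(coeff(b, k - j), j) for k in range(cols)]
         for j in range(ds)]

    # C = A * B over the field (addition in characteristic 2 is XOR).
    C = [[0] * cols for _ in range(ds)]
    for i in range(ds):
        for j in range(ds):
            if A[i][j]:
                for k in range(cols):
                    C[i][k] ^= gf_mul(A[i][j], B[j][k])

    # Undo the twist: sigma^(i d*)(C[i][k]) is the coefficient of
    # x^(i d* + k) in a^(i) * b; summing over i gives the product.
    c = [0] * (ds * ds + d)
    for i in range(ds):
        for k in range(cols):
            c[i * ds + k] ^= sigma(C[i][k], i * ds)
    return c[:len(a) + len(b) - 1]


if __name__ == "__main__":
    a = [3, 0, 7, 9, 1]      # constructed sample: 3 + 7x^2 + 9x^3 + x^4
    b = [5, 2, 0, 14]        # constructed sample: 5 + 2x + 14x^3
    print(skew_mul_naive(a, b))
    print(skew_mul_pw(a, b))
```

The twists $\sigma^{\pm id^*}$ are applied once per matrix entry, so the inner loop is an ordinary matrix product over the field, which is what allows a fast matrix multiplication routine to be substituted.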


8.2 The Caruso & Le Borgne Algorithm 


Here we will provide an overview of the algorithm given in [CB17, Sec.2]. The critical insight of 
the algorithm is their proposition 1.6, which relates the action of skew-polynomials to commutative 
multiplication modulo $T^n - 1$. We restate the proposition here: 


Proposition. [CB17, Prop. 1.6] Let T be a commutative variable, and fix a normal basis s9,..., 8n—1 
for Fn /Fq and let s = vo s;T". Further let a = rp ain? € Fgn{x; 0} and set a(T) = 0%) aT’, 
c, = a(s;) and c(T) = )o eT". Then 


$$c(T) = a(T)s(T) \bmod T^n - 1$$


Namely, the above proposition reduces computing the action of $a$ on a normal basis to commutative 
polynomial multiplication when both are considered modulo $T^n - 1$. Given any two $a, b \in 
\mathbb{F}_{q^n}\{x;\sigma\}/(x^n - 1)$, the product $ab \in \mathbb{F}_{q^n}\{x;\sigma\}/(x^n - 1)$ can be computed as follows: 


Algorithm Skew Polynomial Multiplication [CB17] 


Input Skew polynomials $a, b \in \mathbb{F}_{q^n}\{x;\sigma\}$ of degree at most $d$. 
Output Skew polynomial $c$ such that $a \cdot b = c$ 


1: Compute $c(T) = a(T)s(T)$, $c'(T) = b(T)s(T)$. 

2: Extract from $c, c'$ the matrices $M_a, M_b$ respectively for the action of $a, b$ on $\mathbb{F}_{q^n}/\mathbb{F}_q$ where the 
domain uses the normal basis and the co-domain uses the standard basis. 

3: Compute $M_a B M_b$ where $B$ is the change of basis matrix from the standard basis to the normal 
basis. This gives the action of the product $ab$ on $\mathbb{F}_{q^n}/\mathbb{F}_q$. 

4: Given the product M,BM, compute the corresponding é(T’) such that és~'(T) = a(T)b(T) and 
extract the coefficients of ab 


The main computational bottlenecks are the computation of the matrix product $M_a B M_b$, which costs 
$O(n^\omega)$ $\mathbb{F}_q$ operations, as well as the construction of a normal basis for $L$ over $\mathbb{F}_q$. 

A related algorithm is optimal when $\deg a + \deg b = d < n$. This version proceeds by computing 
the action of $b$ on a partial normal basis $\{s_0, \dots, s_d\}$ of size $d+1$ and determining the corresponding 
matrix. By computing the polynomial $c(T)$ as done previously, the matrix for the action of $a$ on the 
entire normal basis can be determined, and multiplying these two matrices together requires an $n \times n$ 
with $n \times (d+1)$ matrix product and gives the action of $ab$ on $\{s_0, \dots, s_d\}$, from which $ab$ may be 
interpolated. Using their algorithms for doing interpolation and evaluation on a partial normal basis, 
they devise a run-time complexity of $O(d^{\omega-2} n M(n))$ plus the cost of constructing a normal basis. 


9 Multiplication of Matrices over Rings of Skew Polynomials 


Given the intricacies of direct multiplication of skew polynomials, there are a few opportunities to 
examine whether improvements over naive estimates of the complexity of matrix multiplication can 
be achieved. For skew polynomial matrices $a = \sum_j a_j x^j$, $b = \sum_j b_j x^j$ where $a_j, b_j$ are $r \times r$ 
matrices with entries $a_j^{p,q}, b_j^{p,q} \in \mathbb{F}_{q^n}$, one can use any skew multiplication algorithm as a black box to 
obtain a matrix multiplication algorithm yielding a complexity $O(r^\omega \mathrm{SM}(d))$ where $\mathrm{SM}(d)$ denotes the 
complexity of the chosen skew multiplication algorithm. To improve on this, the general approach we 
will use to leverage existing multiplication algorithms can be summarised as follows: 


1. Apply a pre-processing step to the coefficients of the matrices $a, b$, which transforms matrices 
over $\mathbb{F}_{q^n}\{x;\sigma\}$ to matrices over a ring with more computationally efficient multiplication. 


2. Apply a black box matrix multiplication algorithm. 
3. Recover the skew polynomial entries of the product. 


For multiplying skew polynomials modulo x” — 1, we will recall that there is an isomorphism: 
op : Lit}/(a" — 1) + Endy, (Fg) taking skew polynomials right-modulo x” — 1 into the F,-linear 
endomorphisms of Fyn. This sets a tight complexity bound of O(r’n”) for multiplication inside 
L{r}/(a” — 1). 

Note that the transform sending a skew polynomial to its left or right companion matrix is linear. 
Therefore, the algorithm of Puchinger and Wachter-Zeh can be modified to fit the general approach 
as follows: 


1. Compute A, an r x r matrix whose entries A?* are square matrices of size d* over Fyn equal 
p , q q 


to the left companion matrix of a" 37, a?*z?. Similarly, B is an r x r matrix with rectangular 
Dp a a y; g 


entries BY-* corresponding to the right companion matrices of b/* = So, b!*2'! 
2. Compute C = A- B. 


3. Apply the inverse transform of step 4 in algorithm 1 to compute the skew-polynomial corre- 
sponding to the block C*4 = 7) _, Ab* BE, 


Applying the naive algorithm directly yields a bit complexity of r” (a> n® log q)!to) 4¢qmin(“3* 1.635) M(n). 
The above procedure however has an overall complexity consisting of two components: (r2d*2~ n® log q)!+° 
term coming from the entry-wise transform and inversion of the companion matrices and their product, 

as well as r@dmin(“3" 1.635) yy (n) coming from the black-box multiplication of the block matrices. 

When n?/@-“) < d <n, using the Small Degree Multiplication algorithm from [Algorithm 5; 
CB17] is asymptotically optimal. This too admits a more nuanced extension of the algorithm to the 
matrix multiplication setting. In particular, one may perform the partial evaluations of the right- 

side operators b/* and the total evaluation of a/* entrywise, and then perform interpolation on the 
resulting block-wise product. In addition to the cost of constructing the normal basis, preparing the 
block entries, as well as the final interpolation step, takes time O(r?nM(n)). The main bottleneck 

is the block-wise multiplication step, which takes overall time O(d’~?n?r”), which eliminates any 
possible complexity gains over the naive approach. 